GitHub Dependabot has issued the following alert: "build(deps): bump requests from 2.31.0 to 2.32.2 in /drivers/gpu/drm/ci/xfails. When making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. Severity: 5.6 / 10 (Moderate) Attack vector: Local Attack complexity: High Privileges required: High User interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None CVE ID: CVE-2024-35195" To avoid disturbing everyone with the kernel repo hosted on GitHub, I suggest we upgrade our python dependencies once again to appease GitHub Dependabot. Link: https://github.com/dependabot Link: https://github.com/psf/requests/pull/6655 Signed-off-by: WangYuli <wangyuli@xxxxxxxxxxxxx> --- drivers/gpu/drm/ci/xfails/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt index 2fae1299e07b..f69b58356a37 100644 --- a/drivers/gpu/drm/ci/xfails/requirements.txt +++ b/drivers/gpu/drm/ci/xfails/requirements.txt @@ -7,7 +7,7 @@ charset-normalizer==3.2.0 idna==3.4 pip==23.3 python-gitlab==3.15.0 -requests==2.31.0 +requests==2.32.0 requests-toolbelt==1.0.0 ruamel.yaml==0.17.32 ruamel.yaml.clib==0.2.7 -- 2.45.2